As containerized applications continue to rise in popularity, ensuring their security becomes more and more crucial. With Kubernetes, you have a powerful tool for managing containers, but it doesn’t necessarily provide all the security features you need out of the box. That’s where Falco comes in.
Falco is an open-source container security tool that monitors your Kubernetes cluster in real-time and alerts you of any suspicious activity. In this guide, we’ll walk you through setting up Falco on your Kubernetes cluster and discuss its main benefits.
Install Falco on Your Kubernetes Cluster
There are several ways to install Falco; the details are in the official documentation (installation, or directly on Kubernetes: deployment). The easiest way to install Falco on your Kubernetes cluster is with Helm, a package manager for Kubernetes that makes it easy to install and manage applications.
This can be achieved in a few steps:
# Add falcosecurity repository
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
# Install the chart
helm install falco falcosecurity/falco --namespace falco --create-namespace
# Verify the installation
kubectl get pods -n falco -o wide
Configure Falco
By default, Falco comes with a set of rules that detect common security issues. However, you may want to customize these rules to fit your specific use case.
To do this, create a YAML file that contains your custom rules. For example:
# custom-rules.yaml
customRules:
  custom-rules.yaml: |-
    - rule: shell_in_container
      desc: notice shell activity within a container
      condition: evt.type = execve and evt.dir = < and container.id != host and (proc.name = bash or proc.name = ksh)
      output: shell in a container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
      priority: WARNING
Then, apply the rules to your Falco installation using helm install:
# uninstall previous version
helm uninstall falco --namespace falco
# re-install falco with Custom Rules:
helm install falco -f custom-rules.yaml falcosecurity/falco --namespace falco
# or you can actually adjust some settings to your needs, for example
# to enable eBPF probe, and modify output parameters:
helm install falco -f custom-rules.yaml --set ebpf.enabled=true,outputs.rate=.03333,outputs.maxRate=10 falcosecurity/falco --namespace falco
This creates a ConfigMap called falco-rules; you can view it by running:
kubectl get configmap falco-rules -n falco -o yaml
Depending on your k8s configuration, I noticed it sometimes helps to edit the daemonset (kubectl edit daemonset -n falco falco) and add:
[...]
spec:
  containers:
  - args:
    [...]
    name: falco
    tty: true # this line
[...]
By starting the container as an interactive TTY, you make sure that the logs are flushed in real-time.
View Falco Alerts
Falco alerts are sent to the Kubernetes API server and can be viewed using kubectl logs:
kubectl logs -n falco falco-pod-name
# or look up the pod name automatically instead of typing falco-pod-name:
kubectl logs -n falco $(kubectl get pods -n falco --selector app=falco --output=jsonpath='{.items[*].metadata.name}')
This command will display all Falco alerts in your Kubernetes cluster. You can also filter the alerts by severity or other criteria.
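As an added example (not part of the original article), the script below shows one way to do that filtering offline: it parses the JSON alert lines that kubectl logs returns when Falco runs with json_output: true (a falco.yaml setting), keeps only alerts at or above a chosen priority, and tallies them per container. The log lines are constructed for the example and include the custom shell_in_container rule from above.

```python
import json
from collections import Counter

# Falco's priority levels, most severe first.
PRIORITY_ORDER = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Constructed sample of what `kubectl logs` returns from a Falco pod running
# with json_output: true. The first line mimics a non-JSON startup message.
SAMPLE_LOGS = """\
Thu Mar  2 10:00:00 2023: Falco initialized with configuration file /etc/falco/falco.yaml
{"hostname":"node-1","priority":"Warning","rule":"shell_in_container","time":"2023-03-02T10:00:05.123Z","output":"shell in a container (user=root container_id=abc123 container_name=web shell=bash parent=runc cmdline=bash)","output_fields":{"container.id":"abc123","container.name":"web","proc.name":"bash","user.name":"root"}}
{"hostname":"node-1","priority":"Notice","rule":"Terminal shell in container","time":"2023-03-02T10:01:10.456Z","output":"A shell was spawned in a container with an attached terminal (user=postgres container_id=def456 container_name=db)","output_fields":{"container.id":"def456","container.name":"db","proc.name":"sh","user.name":"postgres"}}
{"hostname":"node-2","priority":"Error","rule":"Write below etc","time":"2023-03-02T10:02:20.789Z","output":"File below /etc opened for writing (user=root container_id=abc123 container_name=web file=/etc/passwd)","output_fields":{"container.id":"abc123","container.name":"web","proc.name":"touch","user.name":"root","fd.name":"/etc/passwd"}}
"""

def parse_alerts(log_text):
    """Return the JSON alert objects in Falco's log output, skipping
    non-JSON lines (startup messages, stack traces) and malformed ones."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts

def at_least(alerts, min_priority):
    """Keep alerts at min_priority or more severe; unknown priorities are dropped."""
    cutoff = PRIORITY_ORDER.index(min_priority)
    return [a for a in alerts
            if a.get("priority") in PRIORITY_ORDER
            and PRIORITY_ORDER.index(a["priority"]) <= cutoff]

def count_by(alerts, field):
    """Tally alerts by one of the output_fields keys (e.g. container.name)."""
    return Counter(a.get("output_fields", {}).get(field, "<unknown>") for a in alerts)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOGS)
    for a in at_least(alerts, "Warning"):
        print(f"{a['time']} {a['priority']:<8} {a['rule']}: {a['output']}")
    print("alerts per container:", dict(count_by(alerts, "container.name")))
```

To run it against a live cluster, replace SAMPLE_LOGS with the output of the kubectl logs command above (for example by piping it into the script via sys.stdin).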
Benefits of Using Falco
Now that you’ve set up Falco on your Kubernetes cluster, let’s take a look at some of the main benefits of using this container security tool:
Real-Time Monitoring
Falco monitors your Kubernetes cluster in real-time, which means you can quickly detect any suspicious activity as soon as it happens.
Customizable Rules
Falco comes with a set of default rules, but you can also create your own custom rules to detect specific security issues.
Kubernetes Native
Falco is designed specifically for Kubernetes, which means it integrates seamlessly with your Kubernetes cluster and provides a streamlined user experience.
Open-Source and Free
One major benefit of Falco is that it is open-source and free to use, making it accessible to a wide range of organizations and individuals. As an open-source project, Falco benefits from the contributions of a large community of developers and users, who can help to identify and address bugs and security vulnerabilities.
Conclusion
In this article, I’ve explored the benefits of using Falco for runtime security monitoring in Kubernetes, as well as the steps to set it up on your cluster using a Helm chart. With Falco, you can gain visibility into the security of your Kubernetes environment, detect and alert on suspicious activity, and protect your applications and data from potential threats.